Security, based on how it is used, denotes different meanings. In telecommunications, for instance, security refers to the full establishment of communication as a result of the elimination of disruptive elements. In information technology, security refers to the distance of critical data from destructive threats, unauthorized access or unlawful usage. To some people, security and safety may mean the same thing. But there is more serious implication to the word security. It is more than just saying something is secure. Other terms that are closely related to security are continuity and reliability, the very same words that give companies a big sigh of relief. Learn the various ways to measure security effectively.
Generally, it is impossible to manage something if it cannot be measured. This is why measuring security is such an important activity in a business organization. The metrics or indicators used in gauging, serve as tools for the security personnel to distinguish the efficiency of the different mechanisms of security programs, process or products, the security of a specific system and the capacity of the employees and departments within the company to attend to the security issues for which they are accountable of. Measuring security also provides the opportunity to recognize the risk level in not taking action. It raises the security awareness within the company. And most importantly, security metrics help managers deal with questions from their execs such as “how secure are we today than before?”, “how are we in this regard compared to others” or “are we really secure enough?”.
Despite the clear functions of measuring security, it cannot be discounted that generating metrics is such a difficult task to do. People in the security industry, or those that operate security agencies, agree that the absence or reduction of security threats and attacks do not always guarantee or translate to effective security. Most of the time, it is luck that plays a greater role. But how do you measure luck? Impossible. In fact, it is not applicable. That is why security managers should not just look into their security logs for reference of successful security measures. They need to consider other aspects like vulnerability, threat and asset value as critical elements when evaluating.
Asset value usually refers to the company’s good reputation. It is said to be the easiest aspects in security to be measured. Threat, however, is harder to calculate although it helps in certain areas. Threat refers to the potential of an activity, person or occurrence to induce harm. Vulnerability, on the other hand, refers to the susceptibility of the company, including its employees, equipment, facility and even activities to any type of danger. For example, a company may employ a new computer system that will help make their data confidential. However, relying all their record keeping activities on computers will make them prone to another type of danger and that is the loss of data brought about by system failure, power shutdown or employee misuse.
Since measuring security is still at its infancy stage, many people who have constantly and fervently pushed efforts call themselves pioneers. There is still no perfect way to measure security since not a single documentation has been made about a successful practice. But you get idea, focusing on your security systems when evaluating your security programs is not enough. Consider all three elements — asset value, threat and vulnerability.